oss-sec mailing list archives

Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)


From: Jan Schaumann <jschauma () netmeister org>
Date: Fri, 16 May 2025 11:01:53 -0400

Matthias Gerstner <mgerstner () suse de> wrote:
> we were surprised to find a local root exploit in
> the Screen 5.0.0 major version update affecting distributions that ship
> it as setuid-root (Arch Linux and NetBSD).

I think it's useful to clarify here that NetBSD does
_not_ ship with GNU screen(1) at all.  NetBSD's
third-party package manager pkgsrc[1] includes
screen(1), allowing users to install additional
software on top of the base OS.

That package as included in _pkgsrc_ was installed
setuid[2], but a NetBSD base installation does not
include that package.  (NetBSD happens to include
tmux(1) _in the base OS_, but not screen(1).)

This distinction between a base OS and add-on software
that is optionally available for users to choose tends
to cause confusion for some people, so I figured
it's worth noting.

-Jan

[1] https://www.pkgsrc.org/
[2] no longer, since
    https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=59417
